Securing SQL Server 2016 Databases


1 Securing SQL Server 2016 Databases
Gianluca Hotz @glhotz

2 Sponsors

3 Organizers

4 Gianluca Hotz | @glhotz
Founder and Mentor, SolidQ
- 20 years with SQL Server (since 4.21 in 1996)
- Database modeling, sizing and administration, development, optimization
- Interests: relational model, DBMS architecture, high availability and Disaster Recovery
- Microsoft MVP SQL Server since 1998
- Founder and president of UGISS, the Italian SQL Server User Group (PASS Chapter)

5 Agenda
- Introduction
- Always Encrypted
- Row-level Security
- Data Masking

6 Securing SQL Server 2016 Databases
Introduction

7 Security Layering
- Data Encryption
  - Transport Layer Security (in transit)
  - Transparent Data Encryption (at rest)
  - Cell-Level Encryption (at rest)
  - Always Encrypted (at rest and in transit)
- Data Access
  - Dynamic Data Masking
  - Row-Level Security
- Access Control
  - Encrypted Authentication
  - SQL Firewall*
- Proactive monitoring
  - Auditing
  - Threat Detection*

8 Always Encrypted Securing SQL Server 2016 Databases
Always Encrypted

9 Encryption Before 2016
- Transparent Data Encryption (TDE)
  - Data, log and backup files
  - Data decrypted when loaded in memory*
  - Fully transparent to applications
- Cell-Level Encryption (CLE)
  - Column level granularity
  - Partial protection in memory
  - Not transparent to applications
- Both
  - Server-side encryption
  - Protect data at rest (e.g. theft of drives or backup sets)
  - High privilege users can gain access to data
Notes:
- Both are server-side: they protect against stolen files but not against attacks in memory.
- AES-NI support is new in SQL Server 2016; before that, an alternative could be to use BitLocker with AES-NI support.
- Partial protection in memory by CLE is provided because ENCRYPTBYKEY/DECRYPTBYKEY still needs to be used.
- High privilege users can be a local admin or an admin at the hosting site.

10 Always Encrypted Overview

11 Always Encrypted Keys
- Column Encryption Key (CEK)
  - Used to encrypt data
  - Stored in encrypted form as metadata on server
  - Bound to specific column(s)
- Column Master Key (CMK)
  - Used to encrypt CEKs
  - Stored in an external key store
  - Windows Certificate Store, Azure Key Vault, HSM, Custom
  - Must be available to applications
Note: custom example: can store the key in Amazon and build a custom store provider.

12 CMK Encryption
- Deterministic
  - Allows equality/grouping/join operations
  - Allows indexing
  - Weaker, e.g. small value domains like Sex or Flags
  - Requires _BIN2 collation!
- Randomized
  - No operations allowed
  - No indexing
  - Strongest

13 Always Encrypted Configuration
- SQL Server Management Studio
  - End-to-End Wizard
  - Specific dialogs
  - Rotation scenarios supported
- Only part of the configuration in T-SQL
  - Unencrypted CMK available only externally
- PowerShell

14 Always Encrypted Client Configuration
- Connection String
  - Column Encryption Setting=Enabled
- Single Command
  - SqlCommand.ColumnEncryptionSetting*
  - Disabled, Enabled, ResultSetOnly, UseConnectionSetting
Note: ResultSetOnly decrypts only the result set, without calling the stored procedure to get the encrypted keys metadata (useful when you’re using parameters on columns that are not encrypted).

15 Always Encrypted Parameters
- Parameterized statements require a round-trip
  - Call to sys.sp_describe_parameter_encryption
  - Returns column keys metadata and encrypted key
  - .NET Framework avoids round-tripping by implementing a cache on the application tier
- In general
  - No ad-hoc queries with literal predicates
  - No operations involving ciphertexts and plaintexts
  - Nothing that requires unencrypted data on server
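The deterministic/randomized choice and the parameter round-trip from the slides above, as an added T-SQL example that is not part of the presentation. The table dbo.PatientsAE and the key name CEK_Demo are hypothetical; the example assumes that column encryption key has already been provisioned with the SSMS wizard or PowerShell.

```sql
-- Added example. Assumes a column encryption key named CEK_Demo (hypothetical)
-- already exists in this database, with its CMK held in an external key store.
CREATE TABLE dbo.PatientsAE (
    PatientId int IDENTITY(1,1) PRIMARY KEY,
    -- Deterministic: equality, grouping, joins and indexing work on ciphertext.
    -- Character columns must use a _BIN2 collation.
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: no server-side operations and no index, strongest option.
    BirthDate date
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);
GO
-- Allowed only because SSN is deterministic.
CREATE INDEX IX_PatientsAE_SSN ON dbo.PatientsAE (SSN);
GO
-- Review which columns are encrypted, with which type and which CEK.
SELECT c.name AS column_name, c.encryption_type_desc, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.PatientsAE');
GO
-- The round-trip the client driver makes before sending a parameterized
-- statement: the server reports which parameters must be encrypted and
-- returns the encrypted CEK plus the CMK location.
EXEC sys.sp_describe_parameter_encryption
     @tsql   = N'SELECT PatientId FROM dbo.PatientsAE WHERE SSN = @ssn',
     @params = N'@ssn char(11)';
GO
-- Rejected by the server: a literal predicate on an encrypted column
-- (constructed value), because the plaintext would reach the server.
-- SELECT PatientId FROM dbo.PatientsAE WHERE SSN = '000-00-0000';
-- Rejected by the server: any comparison on a randomized column.
-- SELECT PatientId FROM dbo.PatientsAE WHERE BirthDate = @d;
```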

16 Always Encrypted Demo

17 Row Level Security Securing SQL Server 2016 Databases
Row Level Security

18 Row Level Security Overview
- Restricts access to a subset of rows
- Based on Security Predicates
  - Defined as inline Table-Valued Functions
  - Filter predicates restrict rows to read operations
    - SELECT, UPDATE and DELETE
  - Block predicates block write operations
    - AFTER INSERT, AFTER/BEFORE UPDATE, BEFORE DELETE
- Security Policy
  - Applies Security Predicates to tables

19 Row-Level Security
[Diagram: Policy Manager, Nurse, Application, Database, Security Policy, Filter Predicate (INNER JOIN…), Patients table]

One: The policy manager creates in T-SQL a predicate to filter data based on user ID, and a security policy that applies the predicate to the Patients table.

    -- Inline TVF: returns a row only when the current login is on duty in @Wing.
    -- SCHEMABINDING requires two-part object names.
    CREATE FUNCTION dbo.fn_securitypredicate(@Wing int)
    RETURNS TABLE
    WITH SCHEMABINDING
    AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
           FROM dbo.StaffDuties d
           INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
           WHERE e.UserSID = SUSER_SID() AND @Wing = d.Wing;
    GO

    -- Bind the predicate to the Wing column of the Patients table.
    CREATE SECURITY POLICY dbo.SecPol
        ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
        WITH (STATE = ON);

Two: The user (e.g. the nurse) selects from the Patients table.

    SELECT * FROM Patients

Three: The security policy transparently rewrites the query, applying the predicate.

    -- Conceptual rewrite done by the engine (SEMIJOIN APPLY is not typed by the user)
    SELECT * FROM Patients
    SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);

    -- Logically equivalent query
    SELECT Patients.*
    FROM Patients, StaffDuties d
    INNER JOIN Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;

20 Row-Level Security & Multi Tenancy
- Restrict tenant access when shards share the same tables
- Assuming there’s a column identifying the tenant

21 Row Level Security Demo

22 Dynamic Data Masking Securing SQL Server 2016 Databases
Dynamic Data Masking

23 Dynamic Data Masking
[Diagram: Table.CreditCardNo, SQL Database]
- Masking
  - Real-time
  - Different mask type
  - Partial masks
- Rule/permission based
  - Column level
  - Permissions to unmask
- Azure configuration in portal

24 Dynamic Data Masking Demo

25 Dynamic Data Masking Functions
- Default
  - Type dependent
  - ‘X’, 0, :00:
- Random
  - Integer range
- Custom String
  - Prefix length, [padding char], suffix length

26 Dynamic Data Masking Permissions
- CREATE and ALTER table
- ALTER ANY MASK (w/ ALTER on table)
- UNMASK
- Can still update data!
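The three mask functions and the permissions listed on the last two slides, as an added T-SQL example that is not part of the presentation. The table dbo.Customers, its columns and the user MaskedReader are hypothetical, and the inserted row is constructed sample data.

```sql
-- Added example; all object names and values are hypothetical/constructed.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY(1,1) PRIMARY KEY,
    -- Default: type-dependent full mask.
    FullName     nvarchar(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,
    -- Random: a random value from the given integer range.
    LoyaltyScore int MASKED WITH (FUNCTION = 'random(1, 100)') NOT NULL,
    -- Custom string: prefix length, padding, suffix length.
    CreditCardNo varchar(19)
        MASKED WITH (FUNCTION = 'partial(0, "XXXX-XXXX-XXXX-", 4)') NOT NULL
);
INSERT INTO dbo.Customers (FullName, LoyaltyScore, CreditCardNo)
VALUES (N'Constructed Sample', 42, '1111-2222-3333-4444');
GO
-- A user with SELECT and UPDATE but without UNMASK.
CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.Customers TO MaskedReader;
GO
EXECUTE AS USER = 'MaskedReader';
    -- Reads come back masked in the result set.
    SELECT FullName, LoyaltyScore, CreditCardNo FROM dbo.Customers;
    -- Writes are not restricted by masking: this succeeds.
    UPDATE dbo.Customers SET LoyaltyScore = 0 WHERE CustomerId = 1;
REVERT;
GO
-- UNMASK lets the same user read the stored values.
GRANT UNMASK TO MaskedReader;
EXECUTE AS USER = 'MaskedReader';
    SELECT FullName, LoyaltyScore, CreditCardNo FROM dbo.Customers;
REVERT;
REVOKE UNMASK FROM MaskedReader;
GO
-- Changing or dropping a mask on an existing column needs ALTER ANY MASK
-- together with ALTER on the table.
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1, "***", 0)');
ALTER TABLE dbo.Customers
    ALTER COLUMN LoyaltyScore DROP MASKED;
```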

27 Dynamic Data Masking Gotchas
- Beware when moving data
  - Export/Import
  - SELECT…INTO
  - INSERT…SELECT…FROM
- Brute-force techniques
  - Value inference with range predicates
  - Domain table

28 Azure SQL Database Only
Securing SQL Server 2016 Databases Azure SQL Database Only

29 «SQL Database Auditing»
- Similar to SQL Server Audit
- No T-SQL support (portal, PowerShell, REST API)
- Event destinations
  - Table in “Azure Storage Table”
  - File in “Azure Storage Blob”
- Analysis
  - Extended Events file (SSMS, PowerShell, C# library)
  - Pre-configured Excel file with Power Query

30 SQL Database Threat Detection (preview)
- Simple per-database option to activate
  - Requires activation of “SQL Database Auditing”
- Detects potential threats/vulnerabilities
  - “SQL Injection” kind of attacks
  - Unusual accesses (e.g. from unusual places)
- Alarms
  - Real-time
  - Recommendations on what to investigate/how to mitigate/remediate

31 Azure Security Center
- Service to manage security resources in Azure
- Recommendations also for Azure SQL Database
  - Encryption (e.g. TDE)
  - Audit & Monitor (e.g. Server/Database Auditing)
  - Dynamic Data Masking (e.g. sensitive data)
Demos in

32 Resources
- Documentation
- SQL Server Security Blog
- MVA Course
- GitHub Samples

33 #sqlsat589 Thanks! Q&A

